RITS - 2017

Section: New Results

Safety, Privacy, Trust, and Immunity to Cyberthreats

Participant : Gérard Le Lann.

Safety (significant reductions of severe accident figures) and traffic efficiency (smaller safe inter-vehicular gaps, higher occupancy of asphalt resources) are dual and antagonistic goals targeted with autonomous vehicles. On-board robotics and inter-vehicular communications (IVCs) are essential for achieving proactive and reactive safety (ability to influence behaviors and moves of nearby vehicles).

Existing US standards (WAVE) and European standards (ETSI ITS-G5) for IVCs based on omnidirectional radio technologies have been shown to be inadequate in this respect. Numerous publications demonstrate that they induce channel access delays that are unacceptably high under both average and worst-case load or contention conditions. Periodic beaconing (the broadcasting of messages carrying identifiers, UTC time and GNSS positions) at frequencies ranging from 1 Hz to 10 Hz is mistakenly believed to provide every vehicle with a correct local dynamic map (LDM) giving the accurate geo-localizations of surrounding vehicles. Radio broadcasts are unreliable. Therefore, the LDMs of any two vehicles, however close to each other, may differ. Safe coordination requires exact agreement (a.k.a. consensus), i.e. strictly identical LDMs. This has been shown to be impossible in asynchronous systems (WAVE/G5 networks) and in synchronous systems (deterministic MAC protocols) in the presence of message losses.
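The point about lossy broadcasts and diverging LDMs can be made concrete with a small simulation. The following Python model is an added example, not code from the RITS report or from any WAVE/G5 implementation: a few vehicles on one lane broadcast (identifier, time, position) beacons at 10 Hz, every receiver keeps the latest beacon per sender as its LDM, and the beacons that are lost are listed explicitly so the run is repeatable. Vehicle ids, speeds and positions are constructed values. It shows that one lost beacon is enough for two neighbours to hold different LDMs, and that even a lossless LDM lags the true positions by one beacon period (3 m at 30 m/s).

```python
"""Toy model of periodic beaconing over a lossy broadcast channel.

Added example, not code from the RITS report: vehicles broadcast beacons
(identifier, time, position) every period, and every receiver records the
latest beacon per sender in its local dynamic map (LDM). Which beacons are
lost is given explicitly, so runs are repeatable. All vehicle ids, speeds
and positions are constructed sample values.
"""
from dataclasses import dataclass, field

BEACON_PERIOD_S = 0.1  # 10 Hz, the upper end of the 1-10 Hz range in the text


@dataclass(frozen=True)
class Beacon:
    sender: str
    t: float  # time the beacon was sent (seconds)
    x: float  # sender's position along the lane at that time (metres)


@dataclass
class Vehicle:
    vid: str
    x: float      # true current position (metres)
    speed: float  # m/s, constant in this toy model
    ldm: dict = field(default_factory=dict)  # sender id -> latest Beacon heard


def run(vehicles, rounds, losses):
    """Simulate `rounds` beacon periods.

    `losses` is a set of (round, sender, receiver) triples: the beacon sent
    by `sender` in that round is not heard by `receiver`. Everyone else hears
    it, which is the most favourable case for an unreliable broadcast channel.
    Returns the simulated time at the end of the run.
    """
    for r in range(rounds):
        t = r * BEACON_PERIOD_S
        beacons = [Beacon(v.vid, t, v.x) for v in vehicles]
        for b in beacons:
            for v in vehicles:
                if v.vid == b.sender or (r, b.sender, v.vid) in losses:
                    continue
                v.ldm[b.sender] = b
        # Vehicles keep moving while the beacons are in flight.
        for v in vehicles:
            v.x += v.speed * BEACON_PERIOD_S
    return rounds * BEACON_PERIOD_S


def ldms_agree(a, b):
    """Exact agreement (consensus) on every third vehicle either has mapped.

    Entries a and b hold about each other are skipped: each vehicle knows its
    own position exactly, so those entries are not comparable.
    """
    third_parties = (set(a.ldm) | set(b.ldm)) - {a.vid, b.vid}
    return all(a.ldm.get(k) == b.ldm.get(k) for k in third_parties)


def ldm_position_error(observer, target):
    """How far `target` really is from where `observer`'s LDM places it."""
    mapped = observer.ldm[target.vid]
    return abs(target.x - mapped.x)


def demo(losses=frozenset()):
    """Three vehicles at 30 m/s (108 km/h), two beacon periods, given losses."""
    vehicles = [Vehicle("A", 0.0, 30.0), Vehicle("B", 10.0, 30.0),
                Vehicle("C", 20.0, 30.0)]
    run(vehicles, rounds=2, losses=losses)
    return {v.vid: v for v in vehicles}


if __name__ == "__main__":
    vs = demo()
    print("no losses, A and B agree on C:", ldms_agree(vs["A"], vs["B"]))
    print("B's LDM is still one period stale: error on C = %.1f m"
          % ldm_position_error(vs["B"], vs["C"]))
    vs = demo({(1, "C", "A")})  # A misses C's second beacon, nobody else does
    print("one lost beacon, A and B agree on C:", ldms_agree(vs["A"], vs["B"]))
    print("A's error on C = %.1f m, B's = %.1f m"
          % (ldm_position_error(vs["A"], vs["C"]),
             ldm_position_error(vs["B"], vs["C"])))
```

With no losses A and B hold identical entries for C, yet both place C 3 m behind where it actually is, since the last beacon is a full period old. Dropping a single beacon on one link doubles A's error to 6 m and breaks agreement between A and B, even though B heard everything; any coordination that assumes identical LDMs would silently proceed on different data.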

Periodic beaconing may lead to radio channel saturation. Furthermore, since GNSS coordinates are sent unencrypted, periodic beaconing atop WAVE/G5 favors eavesdropping and tracking, as well as cyberattacks from unknown distant entities (malicious vehicles or terrestrial nodes). Pseudonymous authentication based on asymmetric key pairs and certificates delivered by Public Key Infrastructures is meant to thwart such threats. Unfortunately, numerous problems remain unsolved. Tracking and cyberattacks are feasible against the set of aforementioned solutions (referred to as WAVE 1.0).

In 2017, we contributed to the work conducted by scientists and engineers in various countries, aimed at demonstrating that it is possible to achieve safety, privacy, trust, and immunity to cyberthreats together (immunity, not mere mitigation), following approaches that differ from WAVE 1.0. We are also working with experts who have expressed concerns regarding the risks of cyber-surveillance induced by WAVE 1.0 solutions when better solutions are available. Two essential observations are in order.

Firstly, networks of connected autonomous vehicles are instances of life-critical systems. Inevitably, future on-board (OB) systems will have to be designed in accordance with the segregation principle (a fundamental design rule in the domain of safety/life-critical systems). A critical sub-system must be isolated from a non-critical sub-system. In a vehicle, a critical sub-system hosts critical robotics and critical IVCs (novel IVC protocols and distributed algorithms for time-bounded decision-making and IV coordination). WAVE 1.0 solutions are implemented in the non-critical sub-system.

Secondly, only vehicles very close to each other may be involved in an accident. It follows that short-range and directional IVCs are necessary and sufficient for safety. In [25] and [27], we present IVC protocols and agreement algorithms that achieve small worst-case time bounds for longitudinal and lateral message dissemination within and across cohorts (spontaneous linear vehicular networks). These bounds are such that no vehicle moves by more than 1 asphalt slot while messages are being disseminated and agreements are reached, even in the presence of message losses. A brief summary can be found in [38]. Similar IVC protocols and agreement algorithms can be devised for upcoming technologies, namely 5G radio communications (MIMO antennas) and optical communications, both ignored in WAVE 1.0 solutions.

These solutions (referred to as WAVE 2.0) have additional merits regarding cyberthreats. Remote cyberattacks cannot jeopardize safety (contrary to WAVE 1.0), given that OB critical sub-systems are isolated from the outside world. This is discussed in [24] and in [26]. In [26], we introduce an OB system architecture consistent with the segregation principle, which includes a tamper-proof device (for non-repudiation and accountability), and novel protocols for IVCs. In addition to pseudonymous authentication, sources and destinations of safety messages are fully anonymous, and certified pseudonyms can be used ad infinitum, thus circumventing the deficiencies of WAVE 1.0 solutions. With WAVE 2.0 solutions, proximate eavesdropping and tracking are infeasible and pointless. We also show that proximate cyberattacks (e.g., masquerading, injection of bogus data, falsification, Sybil attacks) are immediately detected, and how to stop a malicious or misbehaving vehicle safely.

Our on-going research targets crossings of un-signaled intersections, roundabouts, and spontaneous formations of heterogeneous vehicular networks (SAE automation levels from 0 to 5), where the properties of safety, efficiency, privacy and immunity to cyberattacks must hold.